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1  Objectives 

The  objective  was  to  enable  construction  of  attack-resistant  cyber-systenrs. 
Various  classes  of  defenses  were  studied  and,  in  some  cases,  prototype  sys¬ 
tems  were  built.  Not  only  did  the  prototypes  provide  insight  into  classes  of 
defenses,  but  they  provided  experience  we  leveraged  for  evolving  the  science 
base  for  cyber-security. 

Specific  topics  that  we  investigated  under  the  auspices  of  this  AFOSR 
funding  included: 

•  Leveraging  trustworthy  hardware  to  increase  assurance  that  unmodi¬ 
fied  system  software  and  applications  are  executing.  We  explored  this 
question  both  for  stand-alone  desktop  computers  and  for  clouds. 

•  Understanding  use  policies  that  are  associated  with  information,  with 
support  for  re-classification  as  a  computation  proceeds.  Information- 
flow  enforcement  is  based  on  tagging  values  with  policies  that  charac¬ 
terize  allowed  readers  or  trusted  writers;  we  also  explored  extensions 
for  other  kinds  of  restrictions  on  use  (including  privacy). 
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2  Summary  of  Completed  Research 

2.1  Trusted  Computing  Implementations 

Secure  coprocessors,  such  as  industry  standard  Trusted  Platform  Modules 
(TPMs),  are  becoming  ubiquitous.  This  hardware  can  be  a  foundation  for 
software  systems  that  offer  strong  guarantees  about  run  time  behavior.  Yet, 
there  is  a  significant  gap  between  the  primitives  provided  by  TPMs  and  the 
forms  of  assurance  actually  required  for  applications. 

We  explored  two  ways  to  close  that  gap: 

•  We  developed  a  new  operating  system  (Nexus)  that  employs  TPM’s. 
Nexus  embodies  an  authorization  architecture  that  unifies  a  broad  set 
of  approaches  for  establishing  whether  a  request  can  be  trusted  and, 
thus,  should  be  granted. 

•  We  developed  a  framework  (CloudProxy)  that  can  be  deployed-  -for 
software  at  any  and  all  levels  of  the  software  stack — the  isolation  and 
authentication  guarantees  that  TPMs  enable.  CloudProxy  can  be  used 
to  protect  applications  running  as  tenants  in  a  remote  cloud,  even  if 
the  cloud’s  operations  staff  cannot  be  trusted. 

Nexus:  Logical  Attestation.  The  key  primitive  provided  by  secure 
coprocessors  is  hash-based  attestation,  whereby  a  certificate  captures  the 
launch-time  hash  of  components  comprising  the  software  stack  and  associ¬ 
ated  configuration  hies.  Hash-based  attestation  forces  all  trust  decisions  to 
be  axiomatic,  because  principals  are  being  trusted  by  hat.  Access  control 
lists  that  enumerate  principals  by  name,  digital  signatures  to  certify  that  a 
particular  piece  of  code  was  vetted  by  a  particular  vendor,  and  authorization 
based  on  program  hashes  are  all  instances  of  the  axiomatic  basis  for  trust. 

An  alternative  method  of  establishing  trust  is  to  employ  an  analysis  that 
predicts  whether  certain  behaviors  by  a  program  are  possible.  Proof  carry¬ 
ing  code,  in  which  a  program  is  accompanied  by  a  proof  that  its  execution 
satishes  certain  properties,  instantiates  this  analytical  basis  for  trust.  Sim¬ 
ilarly,  systems  that  employ  typecheckers  and  domain-specific  languages,  in 
which  code  snippets  are  loaded  and  executed  only  if  the  code  is  deemed  safe, 
are  employing  analysis  for  establishing  trust. 

Finally,  a  synthetic  basis  for  trust  is  involved  when  a  program  is  trans¬ 
formed  prior  to  execution  and  the  transformed  artifact,  by  construction, 
can  be  trusted  in  ways  that  the  original  could  not.  Sandboxing  SFI,  inlined 
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reference  monitors,  and  other  program  rewriting  techniques  create  such  a 
synthetic  basis  for  trust. 

Today’s  operating  systems  provide  disparate  mechanisms  to  implement 
these  three  bases  of  trust.  The  challenge  was  to  unify  them  into  a  sin¬ 
gle  authorization  architecture.  Nexus  does  that  unification  with  its  logi¬ 
cal  attestation  approach  to  authorization.  In  logical  attestation,  a  labeling 
function  generates  an  attributed  statement  called  a  label  and  expressed  in 
NAL  (Nexus  Authorization  Logic),  a  constructive  logic  of  beliefs.  Labels 
are  unforgeable,  machine-parseable  statements  of  the  form  “P  says  5”  that 
capture  information  relevant  to  authorization  decisions  involving  principal 
P.  A  bitstring  that  encodes  a  label  is  known  as  a  credential.  Since  labeling 
functions  can  be  provided  by  third  parties  and  labels  are  logical  statements, 
a  rich  set  of  properties  become  available  for  authorizing  access  requests. 
These  properties  can  incorporate  references  to  dynamic  system  state,  in¬ 
cluding  the  current  time,  current  resource  availability,  and  even  history. 
Labels  used  in  proofs  assert  reasons  why  a  principal  might  be  trusted;  the 
proofs  are  checked  by  guards  and  constitute  the  basis  for  deciding  whether 
to  grant  or  deny  a  request. 

Nexus  executes  on  x86  platforms  equipped  with  a  TPM,  supports  much 
of  the  Posix  API,  and  natively  executes  many  Linux  applications.  It  seems 
to  have  been  the  first  operating  system  to  implement  logic-based  authoriza¬ 
tion  with  dynamic  system  state,  the  first  to  implement  operating  system 
capabilities  based  on  statements  issued  by  a  TPM,  and  the  first  to  support 
all  three  bases  for  trust  in  a  single  unified  framework. 

Logical  attestation  enables  novel  authorization  functionality  and  pro¬ 
vides  strong  and  useful  guarantees  today’s  systems  cannot  provide.  We 
illustrated  its  power  by  developing  a  cloud  computing  application,  called 
Fauxbook,  that  implements  guarantees  about  safety,  confidentiality,  and  re¬ 
source  control.  Fauxbook  provides  a  familiar  social  networking  experience, 
where  users  publicly  post  and  exchange  status  messages.  The  Nexus  autho¬ 
rization  architecture  even  blocks  Fauxbook  developers  from  examining  or 
data-mining  information  Fauxbook  handles.  Moreover,  logical  attestation 
enabled  the  cloud-infrastructure  operator  to  guarantee  certain  forms  of  re¬ 
source  availability  to  Fauxbook  developers.  Experiments  showed  that  the 
cost  of  authentication  with  logical  attestation  in  Fauxbook  is  on  the  order  of 
lms,  and  it  can  be  reduced  to  20  cycles  with  proof  caching,  an  optimization 
we  describe  later. 
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CloudProxy.  CloudProxy  is  a  new  framework  that  supports  secure  de¬ 
ployment  of  applications  to  clouds,  defends  against  insider  attacks,  and  pro¬ 
vides  protocols  for  automatic  key  management.  Data  managed  by  Cloud¬ 
Proxy  is  never  stored  or  transmitted  in  unencrypted  form,  and  cryptographic 
keys  are  provisioned  in  a  way  that  defends  against  malicious  operators  or 
other  data-center  insiders.  Protocols  are  provided  for  remote  or  local  clients 
to  authenticate  the  executable  and  execution  environment  of  a  server  and 
for  a  server  to  authenticate  the  executable  and  execution  environment  of  its 
clients.  Three  prototype  applications  have  been  implemented  to  evaluate 
the  utility  of  CloudProxy:  FileProxy,  a  file  service;  AuthProxy,  an  authen¬ 
tication  service  for  remote  third  parties;  and  BidProxy,  an  auction  service. 
Performance  measurements  demonstrated  that  CloudProxy  is  a  practical 
way  to  support  secure,  distributed  applications. 

CloudProxy  combines  hardware-based  memory  isolation  along  with  un- 
forgeable  measurement-based  security  principals  as  supported  by  Trusted 
Platform  Modules  (TPMs)  and  other  secure  co-processors.  Measurement- 
based  security  principals  associate  a  cryptographic  key  with  some  measure¬ 
ment  value.  Only  principals  having  that  associated  measurement  value  are 
permitted  to  access  and  use  the  key.  The  measurement  value  typically  com¬ 
bines  the  hash  of  a  requesting  program’s  executable  with  any  environment 
information  that  affects  program  execution — for  example,  boot  parameters 
and  information  identifying  the  host  execution  environment.  Consequently, 
the  capability  to  generate  digital  signatures  or  to  decrypt  data  is  available 
only  to  unmodified  programs  being  executed  in  unmodified  environments. 

Specialized  hardware  is  just  one  way  to  implement  measurement-based 
security  principals,  but  embodiments  of  CloudProxy  are  not  limited  to  the 
lowest  level  of  a  system’s  software  stack.  Moreover,  CloudProxy  can  be 
deployed  recursively,  because  a  host  system  supporting  it  necessarily  has 
means  to  enable  its  hosted  programs  to  instantiate  a  CloudProxy  for  pro¬ 
grams  that  they  host.  For  example,  we  implemented  a  stack  of  three  levels, 
each  instantiating  a  CloudProxy:  the  Trusted  Hardware  (TrHW)  supports 
a  CloudProxy  for  an  operating  system  called  Trusted  OS  (TrOS);  and  TrOS 
provides  a  CloudProxy  for  programs  running  as  activity  elements  which, 
together,  comprise  an  activity.  An  activity  is  an  instance  of  a  distributed 
computation  executing  on  behalf  of  some  activity  owner.  And  an  activity 
owner  policy  specifies  authenticated  claims  that  must  accompany  a  request 
in  order  for  that  request  to  be  deemed  authorized. 

Cryptography  is  a  key  ingredient  for  CloudProxy.  It  protects  confiden¬ 
tiality  and  integrity  of  data  stored  on  secondary  storage  or  sent  over  to  clients 
of  a  hosted  application.  It  is  used  to  authenticate  activity  elements  to  their 
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clients.  And  it  is  used  in  claims-based  authorization  for  controlling  access 
to  activity  functionality.  So,  the  CloudProxy  framework  includes  means 
to  provision  cryptographic  keys,  providing  a  small,  independently-deployed 
component  (hence,  easily  trusted)  along  with  protocols  that  defend  against 
malicious  actions  by  data-center  operators  or  employees. 

2.2  Use  Policies 

Reactive  Information  Flow  Policies.  An  information  flow  label  is  a 
tag  that  gives  restrictions  on  the  use  of  a  tagged  value  v  and  all  values 
derived  from  v. 

•  For  confidentiality,  it  specifies  which  principals  can  read  the  tagged 
value  or  can  read  values  derived  from  the  tagged  value. 

•  For  integrity,  it  specifies  which  principals  must  be  trusted  in  order  to 
trust  the  tagged  value  and  any  values  derived  from  that  tagged  value. 

Notice  that  information  flow  labels  offer  end-to-end  guarantees — they  specify 
current  and  future  use  of  information,  regardless  of  what  variable  stores  that 
information  or  how  that  information  was  derived.  In  contrast,  access  control 
policies  restrict  access  to  specific  information  containers,  independent  of 
what  the  container  stores  or  how  the  value  it  stores  was  derived. 

Restrictions  imposed  on  a  derived  value  v  ought  to  depend  on  (i)  the 
information  flow  labels  that  tag  initial  values  and  (ii)  the  operations  involved 
in  deriving  v  from  those  initial  values.  It  is  naive,  however,  simply  to  tag  a 
derived  value  v  with  the  set  of  the  information  flow  labels  associated  with 
the  values  from  which  v  was  derived  and,  thus,  impose  the  conjunction  of 
those  restrictions.  Operations  transform  their  arguments  to  produce  new 
values,  and  a  given  transformation  might  warrant  a  reclassification  because 
restrictions  associated  with  inputs  to  the  operation  no  longer  apply  to  the 
result  produced.  With  a  strong  cryptosystem,  for  example,  any  principal 
ought  to  be  allowed  to  read  the  value  of  Encrypt  ( x,  key )  even  though  only 
a  few  principals  are  allowed  to  read  the  values  of  x  and  key.  So  we  would 
be  justified  in  associating  weaker  restrictions  with  the  output  of  Encrypt 
operations  than  were  associated  with  the  inputs. 

Reactive  information  flow  labels  (RIF  labels)  specify  (i)  restrictions  on 
the  use  of  a  value  as  well  as  (ii)  how  those  restrictions  change  in  response 
to  operations  that  transform  the  value.  Thus,  RIF  labels  make  explicit  the 
connection  between  information  transformations  and  changes  to  restrictions. 
For  example,  a  RIF  label  might  assert  that  only  some  principal  A  (say)  is 

5 


DISTRIBUTION  A:  Distribution  approved  for  public  release. 


allowed  to  read  values  x  and  key,  any  principal  may  read  the  output  of 
Encrypt{x,  key),  and  only  principals  that  can  read  key  are  allowed  to  read 
the  output  of  Decrypt(y,key).  So  Encrypt (x,  key)  has  weaker  restrictions 
than  x  but  Decrypt  (y ,  key)  has  stronger  restrictions  than  y. 

Under  the  auspices  of  this  AFOSR  grant,  we  derived  a  theory  for  RIF 
labels.  We  also  defined  a  security  condition  that  makes  sense  as  the  goal 
when  values  have  been  tagged  with  RIF  labels.  Classical  non-interference 
does  not  work,  since  it  cannot  handle  reclassifications  that  weaken  restric¬ 
tions.  Piecewise  noninterference  (PWNI)  extends  classical  noninterference 
in  a  way  that  does  allow  values  to  be  reclassified  in  arbitrary  ways.  We  also 
investigated  static  enforcement  (i.e. ,  compile-time  analysis)  for  programs 
where  variable  declarations  include  RIF  labels.  Here,  we  designed  a  type 
system  whose  type  correctness  implies  PWNI. 

The  type  system  for  RIF  labels  makes  minimal  assumptions  about  the 
underlying  mathematical  structures  used  for  defining  labels: 

•  label  L  U  L'  that  embodies  the  restrictions  of  labels  L  and  L'  has  a 
representation  as  a  RIF  label  and  is  computable  from  labels  L  and  L' 

•  it  is  decidable  whether  one  label  L  is  more  restrictive  than  some  other 
label  L' 

Two  families  of  mathematical  structures,  which  satisfy  these  conditions, 
have  been  explored  as  the  basis  of  RIF  labels  that  seem  useful  in  practice: 
finite  state  automata  (where  states  correspond  to  restrictions  and  state  tran¬ 
sitions  correspond  to  operations)  and  stacks  specialized  for  cryptographic 
operations  (where  push  and  pop  are  used  to  record  the  nesting  of  the  opera¬ 
tions  and  keys  used  in  generating  values) .  The  two  families  can  be  combined 
to  handle  applications  that  use  fully  homomorphic  encryption. 

To  demonstrate  the  practicality  and  utility  of  automata-based  RIF  la¬ 
bels,  JRIF,  a  new  dialect  of  Java  was  developed.  JRIF  derives  from  Myer’s 
Jif  compiler  and  runtime.  Jif’s  labels,  which  are  based  on  JIF’s  Decentral¬ 
ized  Label  Model,  were  replaced  by  RIF  automata,  and  Jif’s  restrictiveness 
relation  on  labels  was  modified  accordingly.  Our  experience  in  building  and 
using  JRIF  gives  confidence  that  other  languages  for  information  flow  con¬ 
trol  could  be  extended  similarly.  We  also  programmed  two  JRIF  applications 
that  leverage  the  expressive  power  of  RIF  automata:  a  Battleship  game  and 
a  shared  calendar  application.  This  exercise  demonstrated  that  RIF  au¬ 
tomata  are  easy  to  use.  A  public  release  of  the  source  code  for  the  JRIF 
compiler  and  runtime,  along  with  the  example  applications,  are  available  for 
download  from  the  JRIF  web  page. 
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Use-Based  Privacy.  In  response  to  all  the  criticisms  about  notice  and 
consent,  there  has  been  a  resurgent  focus  on  viewing  privacy  in  terms  of 
limitations  on  data  use.  In  some  cases,  the  emphasis  is  placed  on  preventing 
harmful  uses  without  explicit  user  control,  in  others,  the  emphasis  is  on 
enabling  user  control  over  data  uses.  Since  different  users  are  likely  to  have 
different  opinions  regarding  what  constitutes  a  privacy  violation  and  since 
there  is  no  consensus  on  how  to  define  “harmful”  we  decided  to  explore 
options  for  enabling  user  control. 

Data  use  can  occur  at  any  point  after  data  is  collected,  so  control  over 
data  use  naturally  aligns  with  the  idea  of  policy  tags.  Policy  tags  are  labels 
that  travel  with  a  value  and  express  limitations  on  how  that  value  may  be 
used.  Goals  that  motivated  the  design  of  our  scheme  are: 

•  Expressiveness:  Users  should  be  able  to  control  how  their  data  are 
used  as  well  as  what  data  become  known  (both  by  a  service  provider 
with  which  they  interact  and  by  third  parties). 

•  Scalability:  The  burden  placed  on  users  should  be  reasonable,  even 
if  users  interact  with  many  service  providers. 

•  Transparency:  Privacy  policies  should  be  easily  understood  and 
transparent.  They  should  clearly  specify  how  observed  data  and  de¬ 
rived  values  are  used. 

•  User  Policy  Revision:  Users  should  be  allowed  to  revise  privacy 
policies  and,  thereafter,  should  enforce  the  revision. 

•  Enforcement:  Some  enforcement  mechanism  ensures  policy  compli¬ 
ances. 

In  order  to  realize  these  goals,  we  developed  avenance  tags.  Avenance  tags 
use  a  new  language  for  expressing  privacy  policies  and  are  handled  in  the 
context  of  an  avenance  ecosystem.  The  connection  between  avanance  tags 
and  RIF  labels  should  be  clear;  and  it  allows  us  to  leverage  insights  we  have 
developed  for  RIF  labels. 

3  Impacts  on  the  Community 

It  can  be  difficult  for  new  ideas  to  have  an  immediate  impact.  However, 
NSA’s  funding  for  its  Science  of  Security  Lablets  at  univerities  and,  more 
recently,  their  initiative — supported  by  a  series  of  workshops — to  define  a 
“science”  of  privacy  have  been  heavily  influenced  by  our  advocacy  for  these 
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foundational  approaches  to  security  and  privacy.  (And  NSA  consulted  with 
the  PI  extensively  about  both  initiatives.) 

There  are  other  less-direct  transitions  from  the  Pi’s  involvement  in  var¬ 
ious  advisory  capacities  during  the  period  of  this  funding. 

•  Schneider  served  as  Chief  Scientist  of  the  NSF  TRUST  Science  and 
Technology  Center,  which  included  U.C.  Berkeley,  Carnegie-Mellon 
University,  Cornell  University,  Stanford  University,  and  Vanderbilt 
University. 

•  Schneider  was  a  member  of  the  following  industrial  advisory  boards: 
Accuvant;  Fortify  Software  Technical  Advisory  Board;  Intel  Science 
and  Technology  Center  for  Secure  Computing;  Microsoft’s  Trustwor¬ 
thy  Computing  Academic  Advisory  Board  (co-chair);  Riskive  Techni¬ 
cal  Advisory  Board  (chair);  and  ZeroFox  Technical  Advisory  Board 
(chair) . 

•  Schneider  served  on  the  following  other  advisory  committees:  Com¬ 
puter  Science  and  Telecommunications  Board,  National  Academies; 
Computing  Research  Association  Board  of  Directors;  Computing  Com¬ 
munity  Consortium  Council;  Cyber  Security  Research  Alliance;  De¬ 
fense  Science  Board;  EPIC  Advisory  Board,  Lincoln  Laboratories;  Fo¬ 
rum  on  Cyber- Resiliences,  National  Academies  (chair  and  founder); 
NSA  best  scientific  cybersecurity  paper  award  panel;  Naval  Studies 
Board,  National  Academies;  and  NIST  Information  Security  and  Pri¬ 
vacy  Advisory  Board. 

•  Schneider  served  on  the  study  committee  for  the  following  DoD-related 
reports: 

—  Review  of  U.S.  Navy  Cyber  Defense  Capabilities.  Naval  Studies 
Board,  National  Academies. 

—  Study  on  Supply  Chain  Security.  Defense  Science  Board.  In 
progress. 


4  Publications  Supported 

1.  Nexus  Authorization  Logic.  ACM  Transactions  on  Information  and 
System  Security  14,  1  (2011),  Article  8.  And  Kevin  Walsh,  Emin  Gun 
Sirer. 
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2.  NetQuery:  A  Knowledge  Plane  for  Reasoning  about  Network  Proper¬ 
ties.  Proceedings  of  ACM  SIGCOMM  2011  (Toronto,  Ontario,  Canada 
August  2011),  278-289.  With  Alan  Shieh  and  Emin  Gun  Sirer. 

3.  Logical  Attestation:  An  Authorization  Architecture  for  Trustworthy 
Computing.  SOSP'll  Proceedings  of  23rd  ACM  Symposium  on  Oper¬ 
ating  Systems  Principles  (Cascais,  Portugal,  October  2011),  249-264. 
With  Emin  Gun  Sirer,  Willem  De  Bruijin,  Patrick  Reynolds,  Alan 
Shieh,  Kevin  Walsh,  and  Dan  Williams. 

4.  A  Doctrinal  Thesis.  Editorial.  IEEE  Security  &  Privacy  9,  4  (July /August 
2011),  3-4.  With  Deirdre  Mulligan. 

5.  Doctrine  for  Cyber  security.  Daedalus.  Fall  2011,  70-92.  With  Deirdre 
Mulligan 

6.  Beyond  Traces  And  Independence.  Dependable  and  Historic  Comput¬ 
ing.  Essays  Dedicated  to  Brian  Randell  on  the  Occasion  of  His  75th 
Birthday ,  Lecture  Notes  in  Computer  Science,  Vol.  6875  (Cliff  Jones 
and  John  Lloyd,  eds).  Springer  Verlag,  2011,  479-485. 

7.  Computing  researchers  get  ’schooled’  on  science  policy  at  CCC  work¬ 
shop.  Computing  Research  News  Volume  24,  No.  1  (January  2012). 
With  Peter  Harsha. 

8.  Blueprint  for  a  Science  Of  Cybersecurity.  The  Next  Wave  Volume  19, 

No.  2  (March  2012),  47-57. 

9.  Breaking-in  Research.  Editorial.  IEEE  Security  and  Privacy  March/ April 
2013. 

10.  Cybersecurity  Education  in  Universities.  Editorial.  IEEE  Security 
and  Privacy  July/August  2013. 

11.  Federated  Identity  Management  Systems:  A  Privacy-based  Character¬ 
ization.  IEEE  Security  and  Privacy  11,  5  September /October  2013, 
36-48. 

12.  The  CloudProxy  Tao  for  Trusted  Computing.  Preliminary  version 
available  as  University  of  California,  Berkeley  Technical  Report  No, 
UCB/EECS-2013-135,  July  2013.  With  John  Manferdelli  and  Tom 
Roeder. 
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13.  When  Not  All  Bits  Are  Equal:  Incorporating  ”  Worth”  into  Information- 
Flow  Measures.  POST  2014  Principles  of  Security  and  Trust  (Greno¬ 
ble,  France,  April  2014)  Lecture  Notes  in  Computer  Science,  vol  8414. 
M.  Abadi  and  S.  Krerner  Eds.  120-139.  With  Mario  Alvim  and  Andre 
Scedrov. 

14.  Incentivizing  Quality  and  Impact:  Evaluating  Scholarship  in  Hiring, 
Tenure,  and  Promotion.  Best  Practices  Memo,  Computing  Research 
Association,  Adopted  February  2015.  With  Batya  Friedman,  http: 

/ /www . era . org/uploads/ documents/resources/bpmemos/BP_Memo 

15.  Enforcing  Privacy  Policies  with  Meta-Code.  6th  ACM  SIGOPS  Asia- 
Pacific  Workshop  on  Systems,  (Tokyo,  Japan,  July  2015).  WithHavard 
Johansen,  Eleanor  Birrell,  Robbert  van  Renesse,  Magnus  Stenhaug, 
and  Dag  Johansen. 

16.  Vive  La  Difference:  Paxos  vs.  Viewstamped  Replication  vs.  Zab.  IEEE 
Transactions  on  Dependable  and  Secure  Computing  12,  4  (July-Aug. 
2015),  472-484.  With  Robbert  van  Renesse  and  Nicolas  Schiper. 

17.  Omni-Kernel:  An  Operating  System  Architecture  for  Pervasive  Mon¬ 
itoring  and  Scheduling.  IEEE  Transactions  on  Parallel  &  Distributed 
Systems  26,  10  (October  2015),  2849-2862.  With  Age  Kvalnes,  Dag 
Johansen,  Robbert  van  Renesse,  and  Steffen  Valvag. 

18.  JRIF:  Reactive  Information  Flow  Control  for  Java.  Submitted  for 
publication.  Preliminary  version  available  as  eConnnons  technical  re¬ 
port  1813/41194,  Oct  24,  2015.  With  Elisavet  Kozyri,  Owen  Arden, 
Andrew  C.  Myers. 
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